open-source cryptocard libraries

Troy Benjegerdes hozer at hozed.org
Wed Jan 17 00:20:00 EST 2007


I have been talking to some people at Cryptocard, and it looks like they
have finally gotten tired of handing out sample code to customers to do
a one-off implementation of kerberos support, and decided they want to
go ahead and release the libraries for the initializer as well as sample
code for generating OTPs as open source. It's not clear what the actual
license will be, but one of the goals seems to be the ability to have
native cryptocard support released as part of MIT and Heimdal kerberos.

In my case, I'd like to support the KB-1 token, which has a secret AES
key, known only to the token and the authentication server (in this case
the KDC). There is also a shared secret seed value which is re-encrypted
at every successful authentication to generate the next seed value.
The problem I can see at the moment, is that this requires that slave
KDCs now be able to replicate the last seed value back to the master
KDC. I could see this being a relatively minor hack to Heimdal's iprop
protocol. How to do this with MIT kerberos seems a bit more .. messy..

What thoughts do people have on this problem? Multi-master LDAP backends
would provide an 'enterprise-class' backend, but something about putting
critical secret keys in LDAP seems wrong to me.. In some cases it's
necessary, but I would like to be able to implement two factor and
replicated KDCs without having to resort to an LDAP backend to support
it.

-- 
--------------------------------------------------------------------------
Troy Benjegerdes                'da hozer'                hozer at hozed.org  

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Schulz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Schulz
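The seed chain and the replication problem described in the post, modelled as an added Go example (not part of the original message or of Cryptocard's code): re-encrypting the seed with the token's AES key after each successful authentication is taken from the post, while the 4-byte response derivation, the constructed key and seed values, and the in-memory master/slave KDC replicas are assumptions of this model.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
)
// Token models a KB-1-style stateful OTP token: AES key shared only with the KDC, plus a seed.
type Token struct {
	Key  []byte // 16-byte AES key (constructed sample, not a real token key)
	Seed []byte // current 16-byte seed, re-encrypted after every successful login
}
// nextSeed returns AES_k(seed), the seed-update step described in the post.
func nextSeed(key, seed []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, seed)
	return out
}
// otp hex-encodes the first 4 seed bytes; the real KB-1 response format is not in the post (assumption).
func otp(seed []byte) string { return hex.EncodeToString(seed[:4]) }
// KDC is one authentication server replica holding its own copy of per-user token state.
type KDC struct{ State map[string]*Token }
// Authenticate checks the code against this replica's view of the token and, on success,
// advances the stored seed so this replica will not accept the same code again.
func (k *KDC) Authenticate(user, code string) bool {
	t := k.State[user]
	if otp(t.Seed) != code {
		return false
	}
	t.Seed = nextSeed(t.Key, t.Seed) // fresh slice: other replicas are unaffected
	return true
}
// ReplayWindow models the problem raised in the post: a login succeeds at a slave KDC and
// the advanced seed reaches the master only if replicate is true. It reports whether the
// master still accepts the already-used code (true means the stale seed allows a replay).
func ReplayWindow(replicate bool) bool {
	key, seed := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed
	master := &KDC{map[string]*Token{"alice": {key, seed}}}
	slave := &KDC{map[string]*Token{"alice": {key, seed}}}
	code := otp(seed)
	slave.Authenticate("alice", code) // legitimate login handled by the slave
	if replicate {                    // iprop-style push of the new seed back to the master
		master.State["alice"].Seed = slave.State["alice"].Seed
	}
	return master.Authenticate("alice", code)
}
```

A monitoring check on a real deployment would compare each replica's stored seed generation for a token after every successful login; any replica still holding the pre-login seed is exactly the window this model exposes.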
